ReAbout / ShadowFuzzer

ShadowFuzzer is a fuzzing framework for finding client-side vulnerabilities in the processing of incoming MQTT messages.


ShadowFuzzer

ShadowFuzzer is a fuzzing framework for finding client-side vulnerabilities in the code that processes incoming MQTT messages.

Paper

Huikai Xu, Miao Yu, Yanhao Wang, Yue Liu, Qinsheng Hou, Zhenbang Ma, Haixin Duan, Jianwei Zhuge and Baojun Liu. Proceedings of the 7th IEEE European Symposium on Security and Privacy (EuroS&P), Genoa, June 6-10, 2022.

Attack Model

The attack targets are IoT devices that communicate with an MQTT broker. The adversary uses the broker as a trampoline: exploit messages published to the broker are relayed to the subscribed target devices, where they trigger vulnerabilities in the code that processes the MQTT payload.

Overview of ShadowFuzzer

How to use?

Build ShadowBroker

First build the ShadowBroker, then make the target device (the MQTT subscriber) connect to the ShadowBroker instead of its usual broker, for example by DNS redirection or a similar redirection method.

Fuzzing

Boot the fuzzer


License: Eclipse Public License 2.0


Languages

C 66.0%, Python 21.3%, Roff 6.9%, Makefile 2.4%, C++ 1.6%, CMake 0.6%, HTML 0.5%, NSIS 0.4%, Shell 0.2%, Perl 0.1%, XSLT 0.1%